• netisr running close to 100% on a single core

    General pfSense Questions
    7
    0 Votes
    7 Posts
    116 Views
    G
    @dennypage said in netisr running close to 100% on a single core: @Gustas said in netisr running close to 100% on a single core: Do you have both WAN and LAN enabled as Monitored Interfaces in ntopng by chance? Yes, we do. Can that be the issue? Certainly a contributor. There is a caution in the pfSense ntopng package when selecting interfaces to monitor that says "It is generally not recommended to monitor WAN interfaces." At a minimum, it will double your load. You should remove any WAN interfaces from the list of Monitored Interfaces. Also, if you have any form of active discovery enabled inside ntopng itself, be sure to turn that off as well. Sorry, I just checked and monitoring in ntop is configured only for internal interfaces, WAN is not being monitored. Sorry for misleading you.
  • LDAPS 636 problems with pfsense

    Firewalling
    10
    0 Votes
    10 Posts
    92 Views
    P
    @mcury I changed back to 389 and same problem now, BIND failed connection ok. I have configured 60-70 pfsense without any problem in LDAPS. I have windows server 2025 and also disable LDAP required signing.
  • Setting up Port Forwarding for Minecraft Server on pfSense

    NAT
    9
    0 Votes
    9 Posts
    8k Views
    P
    Thanks for sharing the configuration details! I encountered a similar situation when opening ports for Minecraft on pfSense. In addition to the steps you did, you can try checking: Firewall Rule: Make sure the rules for WAN are applied correctly. NAT Reflection: Sometimes enabling NAT Reflection can help in internal testing. Check ISP: Some carriers block port 25565, you may need to change the port to test. pfSense Log: Check the log to determine if the request has reached the router. Does anyone in the community have any tips to help make the configuration more stable?
  • 25.07 failing

    Plus 25.07 Development Snapshots (Retired)
    8
    0 Votes
    8 Posts
    152 Views
    S
    Thanks that worked!! Much appreciated.
  • ISC Bind9 with DNS over TLS (DOT) issue with certificates

    DHCP and DNS
    9
    0 Votes
    9 Posts
    252 Views
    P
    @tinfoilmatt Unbound works properly with DOT in forwarding mode Bind9 pfsense implementation no Bind9 with pkg install works What unbound is missing is forwarders by zone. Actually it is only global. When you override dns in dhcp, you cannot forward 53 to dot in unbound. You have to block it in fw rules and enforce a dot rule to the given server. But you could lose tls auth too as dhcp overrides do not provide domain name. It'll need to be set in client Basically, bind has the advantage of forwarding by zone and much more
  • LAN not in ARP table

    General pfSense Questions
    10
    0 Votes
    10 Posts
    144 Views
    stephenw10
    The VLAN you would need would be on the switch in order to separate the WAN and LAN network segments. Or connect the pfSense WAN to whatever upstream router you have directly so the switch is only the LAN.
  • 0 Votes
    4 Posts
    100 Views
    stephenw10
    Hmm, interesting. Let me see.....
  • Outbound ping blocked

    Firewalling
    8
    0 Votes
    8 Posts
    134 Views
    R
    @johnpoz Thank you for the tips on how to find the associated blocking rule. Unfortunately, there have been so many blocks that all my filter.log.* files only go back several hours but not to yesterday morning. So I will have to wait until the problem reoccurs. I may need to the weekend to play with this. @SteveITS The next time this occurs, I will check for a change of the IPv6 address. I believe that I checked the last four letters and there was no change. But this is preliminary and I certainly did not check the entire address. I will post back here when I have an update. In the meantime, I appreciate the troubleshooting tips described above.
  • 0 Votes
    7 Posts
    328 Views
    RobbieTT
    @luckman212 The final release 25.07 stable is live and running on my system.
  • 0 Votes
    8 Posts
    312 Views
    G
    @stephenw10, In versions 2.7.x and 2.8, the problem with limiters on a WAN that isn't the default route occurs. The last version that worked correctly was 2.6.0. The evidence and tests performed in each version are documented. Thank you very much and I hope you can validate from version 2.7.x onwards that the limiters no longer work in a WAN that is not the default. thanks. In 2.6.0 the limiter uses the private IP as source and destination, to control the BW for each IP. In 2.8 and 2.7.x the limiter uses the public IP as the source and the private IP as the destination, that is, for the upload it uses the public IP after applying NAT, this does not limit each connection from the LAN, it limits the entire bandwidth
  • OpenVPN routing - has something changed here in 2.7.x?

    Deutsch
    6
    0 Votes
    6 Posts
    160 Views
    G
    Addendum 2 hours later.... All of this kept nagging at me - I have now replaced the pfSense on site (client side) with a freshly installed one - just quickly set up WAN, LAN DHCP and OpenVPN - and the connection is up and stable.... Well, I'll eat my hat .... Either the update wrecked some setting that I did not spot despite looking it over 20 times, or it broke something in the system..... Pffffff - exciting ... Regards GTR
  • 6100 MAX NVMe failed

    Official Netgate® Hardware
    8
    4 Votes
    8 Posts
    188 Views
    the other
    @tariqali Yeah, well thanks to keepass xc I have both saved. Besides I actually push a config backup to my pc regularly and after bigger changes. That is also saved to my nas and is unencrypted (pure hobby usage).
  • Wireguard interface assignment II

    WireGuard
    5
    0 Votes
    5 Posts
    95 Views
    F
    Hi again, to be honest: I guess, I did not remember exactly what I did 2 years ago. Maybe I was mistaken by the interface name opt2 because the SG-3100 has a physical port OPT1 and I mixed up physical and virtual names. The goal was to use 2 different tunnels, one for the mobile clients and one for the site-2-site connection. And now all is running in that way. Regards
  • 0 Votes
    8 Posts
    162 Views
    jimp
    Adding to what has already been said: Usually if someone thinks the bug has a factor making it unclear, invalid, or questionable in some way, a developer or TAC staff member will comment and ask for more info, close/reject it, etc. We're not usually shy about asking for more detail, method of reproducing the bug, and so on. The fact that it was left as-is can sometimes (though not always) be taken to mean it was potentially valid or at least sufficiently clearly described and it needs someone to look at it, investigate, get further confirmation, that sort of thing.
  • can I install a FreeBSD 14 pkg on a FreeBSD 15 pfSense?

    Tailscale
    5
    0 Votes
    5 Posts
    124 Views
    dennypage
    @Gertjan said in can I install a FreeBSD 14 pkg on a FreeBSD 15 pfSense?: If the package contains binaries : forget it. The ABI is different. It's not a hard and fast rule like that. It depends upon what the binary is, what dependencies it has, and how everything was compiled. I am currently running a binary package, which was built on FreeBSD 14.2-RELEASE, on pfSense 25.07 (FreeBSD 15.0-CURRENT) without issue.
  • 0 Votes
    25 Posts
    588 Views
    P
    @chrcoluk SWEEEEEEEEEEEEEEEEET. Thank you so much for your help!!!! I guess I don't need to do the bind method then! Thank goodness!!
  • 0 Votes
    5 Posts
    79 Views
    stephenw10
    You'll need to use the manual firewall rule option with sloppy states and TCP flags set in the advanced rules section like: https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html#manual-fix You may need to add that as a floating rule with direction any and source/destination values that match traffic both ways between the old and new subnets to be sure. But it should be pretty clear from the firewall logs what traffic is actually being blocked.
  • Dynamic DNS (DDNS) fails to obtain public IP

    DHCP and DNS
    50
    0 Votes
    50 Posts
    2k Views
    M
    @70tas Thanks! So different issue, same/similar symptom then.
  • Dynamically route to a backend or a server from a backend?

    HA/CARP/VIPs
    1
    0 Votes
    1 Posts
    27 Views
    No one has replied
  • How to block spotify on pfsense?

    General pfSense Questions
    8
    0 Votes
    8 Posts
    11k Views
    S
    Where should I block it? In the firewall rules? Thanks a lot! :)